The Pentagon, telecommunication giants and even the ABC are just some of the high-profile organisations that have reportedly left confidential information available online for anyone (with a little technical know-how) to find.
Leaving data exposed in this way poses significant privacy and security risks: individuals’ personal details, such as home addresses, as well as sensitive business information are all on the line.
The cloud has been the common thread in all these recent incidents. More specifically, third-party cloud storage. And often Amazon’s popular cloud platform Simple Storage Service, otherwise known as S3.
Words like “cloud”, “buckets” and “bots” have all been thrown around following these incidents. But what do these terms mean? Here’s what you need to know.
What is the cloud, anyway?
Put simply, the cloud lets you store information on the internet.
Gmail, for example, is a cloud service. It holds onto all your online shopping receipts and email rants to your mum, and you can access it from any device you like.
Cybersecurity expert Troy Hunt suggested you think of the cloud as a commodity; like electricity or water, you turn it on and pay for how much you use.
“There’s a saying — cloud is just other people’s computers,” he said. “At the end of the day, whether it’s iCloud or Amazon S3, there are just racks and racks of servers sitting in data centres around the world and the [cloud providers] lay services over that they can turn on at will.”
This is appealing to many companies because it can be expensive to maintain your own servers locally. Instead of building a whole data centre, you simply pay these providers for more digital “room” when you need it.
Not to mention, cloud services can help you access special features like machine learning that are too complicated for some companies to build in-house.
What is a bucket?
Amazon calls buckets “the fundamental container” for online data storage on its cloud. They may contain passwords, logins and other details — anything the company wants held online.
Buckets can have specific security settings, which is where the problem begins.
Why is the data getting out?
In short, human error.
An Amazon spokesperson declined to comment, but in many cases, it appears the people in charge of these “buckets” of data simply used the wrong setting.
“In layman’s terms, it just had no password on it,” Mr Hunt said.
Bob Diachenko, head of communications at Kromtech Security Team, the cybersecurity company that claimed they discovered the ABC leak, said developers and engineers sometimes liked to grant public access to buckets.
They might need to get something “up and running quickly and don’t want to spend time configuring access controls and security-related issues,” he speculated.
“Also, developers want to test their code, so it’s easier for them to make the bucket public and dive into the work.”
What happens now?
It’s obviously not ideal for big organisations to keep leaving data publicly accessible by accident.
In early November, Jeff Barr (who has the title “Chief Evangelist” of Amazon Web Services) published a blog post detailing some new security updates on the S3 platform.
Among other changes, the company has added bright orange buttons to indicate when a bucket is “public”.
In Mr Hunt’s view, the issue is a little more complicated — mostly because humans are involved.
Cloud computing has made online storage available to anyone at a significant scale. In other words, “it’s fast, it’s easy, it’s cheap, anyone can do it”.
But given anyone can do it, people who aren’t necessarily technology professionals have been given a lot of rope to mess up.
Mr Diachenko agreed, but said this risk applied in almost every situation involving computing.
Technology manufacturers want to make the set-up process on their devices and software quick and easy, he pointed out. This means users aren’t always prompted to think about safety from the start.
“If you just click the ‘Next’ button several times, you’ll get a working, but not necessarily a security-compliant environment,” Mr Diachenko said.
Consider your own Facebook privacy settings — are you sure that the photos of your kids you share aren’t set to “public” for anyone in the world to see?